April 8, 2008 11:12 AM PDT

Microsoft message to security world: Trust Us

In a keynote at the RSA conference last year, Microsoft Chairman Bill Gates and Craig Mundie, chief research and strategy officer, said the company had more to do to improve security.

Microsoft's Craig Mundie on stage at RSA 2008.

(Credit: Corinne Schulz/CNET News.com)

A year later, not much has changed.

Mundie and Chris Leach, chief information security officer at Affiliated Computer Services, followed talking points about Microsoft's latest vision for End to End Trust, describing it as an industry call to action.

"The foundation has been laid for good security practices," Mundie said. "The challenge now is related to management practices."

It's all about establishing that you are who you say you are.

"We need new forms of credential," Mundie said. "You should be able to present a cert (certificate) that says, 'Hey, I'm over the age of 18'...and allow a Web site to know that you are an adult."
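What Mundie is describing is an attribute credential: an issuer who knows the holder's birth date signs a statement that discloses only a derived predicate ("over 18"), and the site checks the signature without ever seeing a name or date of birth. The following is an added example of that exchange, not Microsoft's design or anything from the article. It assumes Ed25519 for the issuer's signature, a JSON payload with the field names shown, and constructed sample values (site name "example-site", nonce "c3a1", a made-up birth date); the audience, nonce and expiry checks are the pieces a relying party needs so that an assertion minted for one site cannot be replayed at another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeAssertion is everything the relying site learns. It carries a derived
// predicate ("over_18"), never the birth date or the holder's name.
type AgeAssertion struct {
	Attribute string `json:"attr"`  // the disclosed predicate
	Audience  string `json:"aud"`   // site this assertion was minted for
	Nonce     string `json:"nonce"` // challenge chosen by that site
	Expires   int64  `json:"exp"`   // Unix seconds; short-lived by design
}

// Credential is the signed assertion the holder presents to the site.
type Credential struct {
	Payload   []byte // JSON-encoded AgeAssertion
	Signature []byte // Ed25519 signature over Payload
}

// isOver18 reports whether the holder's 18th birthday is at or before now.
func isOver18(birth, now time.Time) bool {
	return !now.Before(birth.AddDate(18, 0, 0))
}

// Issue runs at the identity provider, which knows the real birth date.
// It refuses to mint anything for a minor and discloses only the predicate.
func Issue(priv ed25519.PrivateKey, birth, now time.Time, aud, nonce string) (Credential, error) {
	if !isOver18(birth, now) {
		return Credential{}, errors.New("holder is not over 18")
	}
	a := AgeAssertion{
		Attribute: "over_18",
		Audience:  aud,
		Nonce:     nonce,
		Expires:   now.Add(5 * time.Minute).Unix(),
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs at the relying site. It needs only the issuer's public key,
// the audience it expects, the nonce it handed out, and the current time.
func Verify(pub ed25519.PublicKey, c Credential, aud, nonce string, now time.Time) (string, error) {
	if !ed25519.Verify(pub, c.Payload, c.Signature) {
		return "", errors.New("signature check failed")
	}
	var a AgeAssertion
	if err := json.Unmarshal(c.Payload, &a); err != nil {
		return "", err
	}
	if a.Audience != aud {
		return "", errors.New("assertion was minted for a different site")
	}
	if a.Nonce != nonce {
		return "", errors.New("nonce mismatch (replay or wrong session)")
	}
	if now.Unix() >= a.Expires {
		return "", errors.New("assertion expired")
	}
	return a.Attribute, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample data: the article's date as "now", a made-up holder.
	now := time.Date(2008, 4, 8, 11, 12, 0, 0, time.UTC)
	birth := time.Date(1985, 6, 1, 0, 0, 0, 0, time.UTC)
	cred, err := Issue(priv, birth, now, "example-site", "c3a1")
	if err != nil {
		fmt.Println("issue failed:", err)
		return
	}
	attr, err := Verify(pub, cred, "example-site", "c3a1", now)
	fmt.Println("same site:", attr, err)
	_, err = Verify(pub, cred, "other-site", "c3a1", now)
	fmt.Println("other site:", err)
}
```

The site ends up knowing one bit (the holder is an adult) plus the issuer's identity. Note what it does not fix: because the issuer mints a fresh assertion per site and nonce, the issuer learns where and when the holder presented it, which is the linkability concern that critics of centralized authentication raise later in this piece.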

Mundie was laying out the parameters for Microsoft's vision for security so that the interested parties would build around the company's framework.

As if on cue, he said: "The overall management systems today are not integrated enough, they're too complicated. That has been a major focus for Microsoft." And he mentioned some Microsoft products that solve those problems.

I showed Bruce Schneier, chief security technology officer for BT, the End to End Trust documents and he said "it feels general and like marketing hype." The notion that the world needs centralized authentication "is just silly," he added.

Basically, Microsoft has used its trusted computing efforts, such as inserting identity rights management into Office 2003, to lock people into using its products, Schneier said.

"Microsoft has used this as an anti-competitive tool," he said.

In a briefing on Monday, George Stathakopoulos, general manager of Microsoft's Trustworthy Computing group, was mentally prepared for the criticism.

"With everything we do, there is always skepticism and conspiracy theories," he said. "The answer is no; this is for real."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 and previously covered search, online advertising, and portals.
Does anyone else here feel the bias?!?!
by PaulEdl April 8, 2008 1:45 PM PDT
Why is it that when Symantec's CEO mentions "identity management growing beyond the enterprise" we don't also get the additional conspiracy theories that we get from this blog article? Microsoft has a federated model today called WS-Federation... it's a standard. Why can John Thompson say the exact same thing as Microsoft and not get someone calling it marketing hype? Bruce Schneier deserves to have his license revoked for just being plain old misinformed. We are talking about Identity, not document rights management, which is what he alludes to. I'm sure I'll get flamed, but the bias in this article makes me feel like the author didn't do her homework and yet expects us to take her word as gospel.
MS is clueless
by The_Decider April 8, 2008 1:56 PM PDT
First of all, a centralized authentication scheme is the worst thing for security.

It is good for tracking people, though. Which is the real motivation for these types of proposals.

MS has never and will never care about security. They ignored security for so long and the only thing they have to try and address it is poorly thought out edge solutions and minor roadblocks.

MS software is the most exploited because it is the easiest to do. Nothing will change until they build an OS from scratch with security as its center of attention.
LOL!
by Dalkorian April 8, 2008 3:14 PM PDT
"Trust us, we're M$. We've been doing security for years and we have your best interests in mind."

Can anyone think of a funnier joke than that? I can't.
Microsoft - message to security world
by wjc-qut April 8, 2008 6:42 PM PDT
I wonder - Charlton Heston had it - is Alzheimer's disease contagious and rampant in Redmond?

Dear Craig - remember (oops, perhaps not) your own XENIX and its Trusted XENIX version (Yes - Microsoft sold a version of UNIX for many years and still apparently owns the XENIX trademark); the Palladium/NGSCB project and the "Ring -0" Intel Pentium; the Windows'NT hardening exercise in the mid-1990s (a B1/B2 version for government), and on and on.

No application, no middleware, no comms/authentication stack and so on can be more secure than the hardware and OS on which it all runs. Intel knew that with the 286 to Pentium chip design (IBM PC/AT onwards) with its 4 rings of protection (ignored by Microsoft Windows'NT/2000/XP/VISTA and, unfortunately, also by UNIX/LINUX but NOT, in part, by Microsoft-IBM's OS/2), memory segmentation to prevent overflow etc (ignored again), memory typing - separating code, data and stack (ignored) and on and on. Intel designed the 286 to Pentium CPUs around the principles of security of the MULTICS system of 40 years ago - and we have not got any further except for the excellent efforts of the NSA with its SELinux offering.

Craig - get over it - what we need is a secure operating system with a modernised and rethought version of "Mandatory Access Control (MAC)" which enables us to categorise and protect the base components of the system as it connects to the untrusted and dangerous global Internet. We have one possible base now - and have had it for almost 10 years!!! It is SELinux ....

What we need is for Microsoft to understand what has been done and look at how the work of SELinux and allied activity can be incorporated into modern operating systems structures - the base for security and information assurance.

For example, fancy allowing untrusted device drivers from unknown sources into the same kernel area as the trust platform/reference monitor of the OS - Microsoft did with Windows NT 4 onwards!
(Remember Ring 1 - oops - Alzheimer's again.)

Forget patching and other software quality problems - that are related to but not real security architecture schemes - the base design of the OS has to be secure and developed today around new concepts of mandatory access control
( and Government has to take the lead by insisting such in procurement ).

Palladium was a start at Microsoft - Craig - what happened to that!!! Remember "Nexus", remember trusted drivers, remember ..... oh well ... perhaps not. Microsoft Alzheimer's again!
This story would be funny
by symbolset April 8, 2008 7:54 PM PDT
If it were not so sad.
What good is perfect identification if you can't secure the user, the operating system, the applications, the channel to the server, the server's operating system OR the server's backup tapes? All you're doing with perfect identification there is perfectly identifying who's getting their identity stolen. You're not making it harder to do the stealing.
"Trust us?" Yougottabekidding.
You wish
by mcicogni April 9, 2008 5:00 AM PDT
As if getting trust from people would be as easy as asking for it!
(especially since the "track record" of Microsoft doesn't strike one as being especially security minded)
Better Them Than Commenters
by EdSF April 9, 2008 7:43 AM PDT
As expected, a lot of flak is thrown at MS when security is the topic of discussion. Yes, their track record isn't great. And yes, they continue to have problems to solve.

Yes, they have a track record. That's probably better than most. It's funny to read comments from *individuals* who actually have no idea of the scale of the ecosystem that Microsoft covers. Or worse, maybe do, and simply respond with "religion" - quite a common affliction, I might say.

Yup, close a system, until you're sued to open them up. Haven't we been here before? Striking this balance is something only a Microsoft truly has an idea about - the scale and complexity of this is mind boggling.

And that's just it. MS isn't just Microsoft. It's actually an ecosystem, that powers 90%++ of the worlds desktops - you know, that ecosystem that actually allows all these new great ideas and services and technologies to have an industry to build on in the first place. Say what you will, but that ecosystem is what makes a Google, a Yahoo, a MySpace, an Amazon, iTunes, flash drives, solid state drives, Web 2.0, 3.0 100.0, etc., a viable business model.

Ergo, ideas from MS, such as that presented above, may sound ridiculous to some. But do take a moment to pause. It takes experience, and scale to have a valid view of the "landscape", the ecosystem, and comment about it - lest you make yourself truly the ridiculous one, and not even know it.

That said, unless there's somebody here who can claim to have the scale and experience, of a MS, allowing him/her quite a view indeed of the landscape he/she is commenting about, I'll take MS's word over yours any day.